What are the best DNS Servers for privacy use?

[opnsenseuser]

There is 1.1.1.1 and 9.9.9.9 but are there any other Servers?
I read on the internet that opendns is not recommended because they are related to hijacking nxdomain records and serving up their ad page?

does anyone know safe and fast dns server?

Thx,
Regards
Rene

[mimugmail]

https://dnscrypt.info/public-servers/

Some of them probably support plain dns. dnscrypt plugin will comes in a few weeks ..

[tofaz]

I have tried to check the link but apparently the webiste is down.

[mimugmail]

Hm, works for me

[tofaz]

This morning I tried from my connection and VPN and it was down. I confirm it is back online now.

[opnsenseuser]

https://dnscrypt.info/public-servers/

Some of them probably support plain dns. dnscrypt plugin will comes in a few weeks ..

I
Thx for your help.

Two questions:

1. how can i find out if my provider blocks my dns Servers? see https://www.dnsleaktest.com/what-is-transparent-dns-proxy.html

2. Does opnsense offer the possibility to do something about this?

3. how can i find out which dns Server of my list my Firewall currently uses?
Can i use nslookup on the Firewall?


Regards rene

[opnsenseuser]

Hm, works for me

ok, i found out that my provider uses a transparent dns proxy!
So my provider can log every visited website from me.

Can I do anything with opnsense here?

regards rené

[bartjsmit]

Hi René

Can I do anything with opnsense here?

You currently have two options:

1. Find a better provider 
2. Sign up with a VPN and run all your outbound traffic through them

Once the dnscrypt plugin is added to OPNsense, this will no longer be a problem.

Bart...

[opnsenseuser]

Hi René

Can I do anything with opnsense here?

You currently have two options:

1. Find a better provider 
2. Sign up with a VPN and run all your outbound traffic through them

Once the dnscrypt plugin is added to OPNsense, this will no longer be a problem.

Bart...

thx for your help!

1. so if dnscrypt plugin is added i don´t need to use vpn ?
2. this works synonymous with squid or is that in no connection ?

regards
rené

[bartjsmit]

Hi René,

Yes, DNS will flow securely through dnscrypt which will foil any attempt to transparently proxy the traffic, since that will be seen as a MITM attack. The two benefits of secure protocols are encryption and verification of endpoints.

Squid services a different protocol although it is susceptible to transparent proxies as well; your ISP can transparently inspect and proxy any HTTP traffic, but HTTPS traffic is protected.

Bart...

[opnsenseuser]

Hi René,

Yes, DNS will flow securely through dnscrypt which will foil any attempt to transparently proxy the traffic, since that will be seen as a MITM attack. The two benefits of secure protocols are encryption and verification of endpoints.

Squid services a different protocol although it is susceptible to transparent proxies as well; your ISP can transparently inspect and proxy any HTTP traffic, but HTTPS traffic is protected.

Bart...

Thx for your Information. :-)

In which opnsense release will the new plugin appear?

[mimugmail]

It's under review, just watch the open PRs

[opnsenseuser]

It's under review, just watch the open PRs

Hope to See this Plugin soon!

[opnsenseuser]

It's under review, just watch the open PRs

https://github.com/opnsense/plugins/pull/965 "merged" ! great work! :-)


is there also a howto in which I could solve the problem described by me!


i mean this -> "my provider uses a transparent dns proxy!" -> how can i solve this , that my Provider can´t read my sites i visited using this plugin?

regards rené

[mimugmail]

With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Then your DNS is forwarded via port 853 so it wont be intercepted ...